11/09/2014

The Bitdefender Labs Exploits Team has monitored the Rovnix botnet (papras/ursnif/gozi) and the Andromeda malware (Andromeda virus), analyzed the malware's DGA (domain generation algorithm), sinkholed it, and observed its communication protocol in order to map current infection campaigns and estimate the overall size of the botnet. Bitdefender Labs advises users to keep their operating system, antivirus solution and other software up to date, and to be wary of social engineering tricks that prompt them to execute code on their computers.

Domain Generation Algorithm
The DGA (Domain Generation Algorithm) generates 5 or 10 domains every 3
months. Specifically, 5 or 10 domains are generated for each of the
following groups of months:

January, February, March

April, May, June

July, August, September

October, November, December

This means there are 20 or 40 candidate domain names per year; which of the two applies depends on the DGA version.
Each domain name is built by concatenating words, or the first halves of
words, until the name is between 12 and 23 characters long. Both the
words that make up the domain name and its top-level domain are chosen
pseudo-randomly from fixed lists. The pseudo-random sequence is seeded
with a fixed number together with the year and the group of months for
which the domains are being generated.
The word list is extracted from a publicly available text file that is
very unlikely to change in the future, such as the United States
Declaration of Independence, the GNU Lesser General Public License,
Request for Comments (RFC) pages, and specifications. To be included in
the list of candidate words, a token must consist only of letters and be
at least 3 characters long; words are converted to lower case before
being used.
Different versions of the malware use different files from which the
words are selected. Interestingly, the versions targeting the United
Kingdom use the US Declaration of Independence.
For example, the domain names generated by the first version of the DGA for January, February and March 2014 are:

theseforbiddentandthe.eu

allsuchsuchreturned.com

landslegisrighthumble.eu

consentrulerallpretended.net

humthethcertainevi.com

theunhasthatinestthmust.net

otheovtheeatci.net

eathapublishtthe.eu

whichdepositoryswath.cn

dissolutionsconvufrom.com
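The word-list rules and the concatenation scheme described above translate directly into a defender-side check: given the public text a DGA version draws from, a candidate domain can be tested for whether its second-level label decomposes into words, or first halves of words, taken from that text. The Python below is an added example written for this post, not Bitdefender's code and not the malware's actual algorithm. It assumes that "first half" means the leading floor(len/2) characters (which agrees with the listed domains, e.g. dissolutions + convu + from, where convu is the first five letters of the eleven-letter convulsions), it uses a short constructed excerpt in place of the real Declaration text, and it adds a heuristic of its own: fragments shorter than 3 characters (the halves of 3- to 5-letter words) are too common to count as evidence, so a label is flagged only when at most a quarter of it is covered by such short pieces.

```python
import re

# Constructed excerpt standing in for the public text a DGA version draws its
# words from (the post names the US Declaration of Independence for the version
# targeting the UK; this snippet was written for the example, not the real file).
SAMPLE_TEXT = """
We hold these truths to be self-evident, that all men are created equal.
Governments derive their just powers from the consent of the governed.
After such dissolutions the state is exposed to convulsions within.
A prince whose character is thus marked is unfit to be the ruler of a free people.
We have petitioned for redress in the most humble terms; such has been the patient sufferance.
He has forbidden his governors to pass laws of immediate and pressing importance.
The history of the present king evinces a design to reduce them under absolute despotism.
Pretended legislation has returned certain powers to the depository of their records,
and to the lands and the right of the people.
"""

MIN_LABEL, MAX_LABEL = 12, 23   # length window the post states for the generated name
LONG_PIECE = 3                  # fragments shorter than this are too common to be evidence
SHORT_BUDGET = 0.25             # largest share of a label that short fragments may cover


def extract_words(text):
    """Candidate words as the post describes: letters only, at least 3 characters,
    lower-cased. Duplicates are dropped and order of first appearance is kept."""
    seen, words = set(), []
    for token in re.findall(r"[A-Za-z]+", text):
        word = token.lower()
        if len(word) >= 3 and word not in seen:
            seen.add(word)
            words.append(word)
    return words


def build_pieces(words):
    """Fragments a generator could concatenate: each whole word and its first half.
    'First half' is assumed (not stated by the post) to mean the leading
    len(word) // 2 characters."""
    pieces = set(words)
    pieces.update(word[: len(word) // 2] for word in words)
    pieces.discard("")
    return pieces


def segment(label, pieces):
    """Split label into fragments from pieces, minimising the number of characters
    covered by short fragments. Returns the fragment list, or None if no full
    decomposition exists. Longer fragments win ties."""
    longest = max(len(p) for p in pieces)
    inf = float("inf")
    cost = [inf] * (len(label) + 1)   # cost[i]: short chars needed to cover label[:i]
    back = [None] * (len(label) + 1)  # back[i]: fragment that ends at position i
    cost[0] = 0
    for i in range(1, len(label) + 1):
        for n in range(min(longest, i), 0, -1):
            piece = label[i - n:i]
            if piece in pieces and cost[i - n] != inf:
                candidate = cost[i - n] + (n if n < LONG_PIECE else 0)
                if candidate < cost[i]:
                    cost[i], back[i] = candidate, piece
    if cost[-1] == inf:
        return None
    parts, i = [], len(label)
    while i > 0:
        parts.append(back[i])
        i -= len(back[i])
    return parts[::-1]


def second_level_label(domain):
    """'allsuchsuchreturned.com' -> 'allsuchsuchreturned'."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def classify(domain, pieces):
    """Defender-side triage: does the domain look like it was built by concatenating
    words (or half-words) from the text? Returns (flagged, fragments)."""
    label = second_level_label(domain)
    if not MIN_LABEL <= len(label) <= MAX_LABEL:
        return False, None
    parts = segment(label, pieces)
    if parts is None:
        return False, None
    short_chars = sum(len(p) for p in parts if len(p) < LONG_PIECE)
    return short_chars <= SHORT_BUDGET * len(label), parts


if __name__ == "__main__":
    pieces = build_pieces(extract_words(SAMPLE_TEXT))
    for domain in ("allsuchsuchreturned.com", "landslegisrighthumble.eu",
                   "dissolutionsconvufrom.com", "humthethcertainevi.com",
                   "www.example.org", "tatmotatmotatmot.net"):
        print(domain, classify(domain, pieces))
```

Fed the real word file of a given version, this is a cheap triage filter for DNS or proxy logs: it does not replace the sinkholed domains, but it surfaces names built the way the post describes. The dynamic programme prefers the longest fragment at each step, so ties resolve toward whole words, and a label that only decomposes into one- and two-letter halves (which almost any string does) is deliberately not flagged.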

Sinkholed Domains
So far we have sinkholed one domain for each of the 6 versions found in
the wild. In the following table, the seed, the words file and the
top-level domains used are specified for each version.

Most domains are still valid for the bots. For example, the last four
domains listed in the next table have been receiving requests for only
two weeks, but will keep receiving them for the following two months.
Because of this, the number of infected bots contacting them is still
expected to increase considerably, as it did for the first 2 domains.

Domain                 Sinkholing Date    Targeted Countries            Total Number of Reported Infections
taxes[removed].net     04 August 2014     Netherlands, France, Belgium  27.455
dissour[removed].biz   10 September 2014  United Kingdom                129.754
bufa[removed].tk       14 October 2014    Bulgaria                      11.441
operation[removed].eu  22 October 2014    Poland                        10.055
youorig[removed].de    22 October 2014    Bulgaria                      1.630
specific[removed].biz  22 October 2014    Bulgaria                      3.394

Even so, the targeted countries are already obvious: for each version,
the number of infections reported for the most infected country is far
higher than for the second most infected country. For illustration, we
list the top 5 most infected countries for each version.
The following images show, for each version, the number of infections
reported for every country since the sinkholing date, highlighting the
top 5. Note how the various campaigns target specific countries.

Communication Protocol
The last campaign appears to be the most recent one, as it is the only
one in which the data reported to the Command and Control server is
first encrypted and then base64-encoded. The data sent by the other
three campaigns is only base64-encoded.
There are three different types of requests:

1. A configuration report is performed by a request following the
template GET /c[random].php?[random]=[data]. Examples of requests for
configuration reports are as follows:

This technique helps the malware to bypass traffic filtering / signatures.
In the case of the unencrypted requests, we can base64-decode the
[data] field and extract the information. For example, the
configuration request

Note that both the name and the value of the first parameter are
randomly generated, which ensures that different base64 encodings /
encryptions are produced for the same request (that is, for the same
user contacting the same server with the same bot version and
requesting/reporting the same data).
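The configuration-report template above, GET /c[random].php?[random]=[data], together with the distinction between the campaigns that only base64-encode [data] and the one that encrypts it first, can be turned into a log-triage routine. The Python below is an added example written for this post, not Bitdefender's tooling, and it cannot decrypt the encrypted variant (the post does not describe the cipher): it matches the path template, base64-decodes every query parameter, and reports whether the result is readable text or opaque bytes. The request lines and the payload strings inside them are constructed for the example, not captures from the botnet.

```python
import base64
import re
from urllib.parse import urlsplit, unquote

# Request-line shape the post gives for a configuration report:
#   GET /c[random].php?[random]=[data]
CONFIG_PATH = re.compile(r"^/c[A-Za-z0-9]*\.php$")


def parse_request_line(line):
    """Return (path, [(name, value), ...]) for a raw 'GET /path?q HTTP/1.x' line,
    or None. The query is split by hand so '+' and '/' inside base64 survive."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or parts[0] != "GET":
        return None
    url = urlsplit(parts[1])
    params = []
    for pair in url.query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params.append((unquote(name), unquote(value)))
    return url.path, params


def try_base64(value):
    """Strict base64 decode (alphabet and padding enforced); None if not base64."""
    try:
        return base64.b64decode(value, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None


def is_text(raw):
    """True when every byte is printable ASCII or ordinary whitespace."""
    return all(32 <= b < 127 or b in (9, 10, 13) for b in raw)


def triage(line):
    """Classify one request line as seen in a proxy or IDS log:
      'not_config'  - path does not match the /c[random].php template
      'plain'       - a parameter is base64 of readable text (base64-only campaigns)
      'opaque'      - a parameter is base64 of non-text bytes (encrypt-then-base64)
      'undecodable' - template matched but no parameter decodes as base64
    Returns (verdict, decoded payload or None)."""
    parsed = parse_request_line(line)
    if parsed is None or not CONFIG_PATH.match(parsed[0]):
        return "not_config", None
    opaque = None
    # Every parameter is tried: the post notes a parameter whose name and value
    # are both random, so the position of [data] cannot be relied on.
    for _name, value in parsed[1]:
        raw = try_base64(value)
        if not raw:
            continue
        if is_text(raw):
            return "plain", raw.decode("ascii")
        if opaque is None:
            opaque = raw
    return ("opaque", opaque) if opaque is not None else ("undecodable", None)


# Constructed sample log lines (not captures from the botnet): the paths and
# parameter names follow the template; the payloads are placeholder content.
SAMPLE_LINES = [
    "GET /c7f3a.php?k2ab=" + base64.b64encode(b"id=1234&os=win7&ver=2").decode() + " HTTP/1.1",
    "GET /cZq9.php?x=" + base64.b64encode(bytes(range(200, 216))).decode() + " HTTP/1.1",
    "GET /index.php?page=home HTTP/1.1",
    "GET /cab.php?r=notbase64!! HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(line.split(" ")[1], "->", triage(line))
```

Because the parameter name and value change on every request, a signature on the query string itself has nothing stable to match; the durable hooks are the path template and the decode attempt, and the 'opaque' verdict is what singles out traffic from the campaign that encrypts before encoding.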